About CVE-2021-44850 – Zynq 7000 SoC devices design weakness (10th Feb 2022)

Preface: SoC → System on Chip. It is basically a collection of different types of processor components such as CPU, GPU, modems, DSP units and memory units.

ASIC → Application-Specific Integrated Circuit. An ASIC is a chip that is basically hardwired to do a specific job.

Background: The SD/SDIO controller is compatible with the standard SD Host Controller Specification Version 2.0 Part A2 with SDMA (single operation DMA), ADMA1 (4 KB boundary limited DMA), and ADMA2 (ADMA2 allows data of any location and any size to be transferred in a 32-bit system memory – scatter-gather DMA) support. The core also supports up to seven functions in SD1, SD4, but does not support SPI mode. It does support SD high-speed (SDHS) and SD High Capacity (SDHC) card standards.

The Zynq®-7000 SoC family integrates the software programmability of an ARM®-based processor with the hardware programmability of an FPGA, enabling key analytics and hardware acceleration while integrating CPU, DSP, ASSP, and mixed signal functionality on a single device.

To build a custom Linux image, it’s recommended that you start with a Petalinux BSP for one of the Xilinx boards, and then customize the configuration to suit your needs.

Vulnerability details: A vulnerability has been found in Xilinx Zynq-7000 and classified as critical. On Xilinx Zynq-7000 SoC devices, physical modification of an SD boot image allows for a buffer overflow attack in the ROM.

Ref: The SDIO controller is not documented in detail because the SD/SDIO controller is compatible with the standard SD Host Controller Specification Version 2.0 Part A2.

In the Zynq design, the ROM resets all of the interesting SDIO config registers each time it goes to send a command. It was found that, even though the ROM blocks on the transaction completion, it doesn't clear out the DMA base address register. If an attacker modifies the transfer data size, this can trigger a buffer overflow.
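
A simplified model of the failure mode described above, added here as an illustration and not taken from the Zynq ROM or any Xilinx code: a DMA base that persists between commands, combined with a transfer size taken from untrusted media, lets the write run past the destination buffer, while reprogramming the base and bounding the size on every command prevents it. The `sd_ctrl` structure, register names, buffer sizes and function names are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MEM_SIZE 64u   /* simulated RAM (constructed for this example) */
#define BUF_SIZE 16u   /* destination buffer occupies mem[0..15] */

/* Toy controller model; register names are hypothetical, not Zynq's. */
struct sd_ctrl {
    uint32_t dma_base;   /* offset into mem[]; persists between commands */
    uint32_t xfer_size;  /* number of bytes the controller will write */
};

static uint8_t mem[MEM_SIZE];

void reset_mem(void) { memset(mem, 0, sizeof mem); }

/* Simulated DMA: writes xfer_size bytes of card data (0xAA) at dma_base. */
static void dma_run(const struct sd_ctrl *c)
{
    uint32_t n = c->xfer_size;
    if (c->dma_base >= MEM_SIZE) return;
    if (n > MEM_SIZE - c->dma_base) n = MEM_SIZE - c->dma_base; /* keep the model itself in bounds */
    memset(mem + c->dma_base, 0xAA, n);
}

/* Weak pattern: size comes from untrusted media, base is left as it was. */
void read_unchecked(struct sd_ctrl *c, uint32_t untrusted_size)
{
    c->xfer_size = untrusted_size;
    dma_run(c);
}

/* Hardened pattern: reprogram the base and bound the size on every command. */
int read_checked(struct sd_ctrl *c, uint32_t untrusted_size)
{
    if (untrusted_size == 0 || untrusted_size > BUF_SIZE) return -1;
    c->dma_base = 0;
    c->xfer_size = untrusted_size;
    dma_run(c);
    return 0;
}

/* Count bytes written beyond the destination buffer. */
size_t bytes_past_buffer(void)
{
    size_t n = 0;
    for (size_t i = BUF_SIZE; i < MEM_SIZE; i++) n += (mem[i] != 0);
    return n;
}
```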

Official announcement: Refer to the link for details – https://support.xilinx.com/s/article/76964?language=zh_CN
